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<doc> 

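<regexp-query>
  <!-- Possible SGID exploit.
       First pattern: an "exec" record whose gid is non-zero ([1-9]\d*) but
       whose egid is 0, the shape of a setgid-root binary being executed.
       Second pattern and the actionpair: collect the args of processes whose
       ppid equals the pid captured by the first pattern. %1% appears to be
       the first capture group of the preceding pattern (confirm against the
       rule engine). Matched text is accumulated into "agg", which the
       annotation reads. -->
  <name>Possible SGID Exploit</name>
  <properties>
    <priority>10</priority>
  </properties>
  <pattern>
    <next>
      <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\(\d+\); euid=\(\d+\); gid=\([1-9]\d*\); egid=\(0\).*</line>
    </next>
    <next>
      <line>.*args=\([\-\w\\\/ ]+\); pid=\(\d+\); ppid=\(%1%\).*</line>
    </next>
  </pattern>
  <procmatch>
    <actionpair>
      <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
      <action>
        <highlight/>
        <delete/>
        <varop var="agg">%1%</varop>
      </action>
    </actionpair>
  </procmatch>
  <annotation>
    <text>Possible SGID Exploit: %agg%</text>
  </annotation>
</regexp-query>
</doc>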
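<doc>
  <regexp-query>
    <!-- Possible SUID exploit.
         First pattern: an "exec" record whose uid is non-zero ([1-9]\d*) but
         whose euid is 0, the shape of a setuid-root binary being executed.
         Second pattern and the actionpair: collect the args of processes
         whose ppid equals the pid captured by the first pattern (%1% appears
         to be the first capture group of the preceding pattern). The args
         text is accumulated into "agg" for the annotation. -->
    <name>Possible SUID Exploit</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\([1-9]\d*\); euid=\(0\).*</line>
      </next>
      <next>
        <line>.*args=\(.+\); pid=\(\d+\); ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*args=\((.+)\); pid=\(\d+\); ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Possible SUID Exploit: %agg%</text>
    </annotation>
  </regexp-query>
</doc>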



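<doc>
  <regexp-query>
    <!-- All processes: every "proclog" record carrying an args=(...) field.
         The actionpair captures the args text (group 1) into "agg", which
         the annotation prints as the started process. -->
    <name>All Processes</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*proclog.*args=\(([\-\.\w\\\/ ]+)\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*args=\(([\-\.\w\\\/ ]+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Process started: %agg%</text>
    </annotation>
  </regexp-query>
</doc>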



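<doc>
  <regexp-query>
    <!-- Find processes: a parameterised query. Each child of <args> is a
         parameter referenced below as %args%, %pid%, %ppid%, %uid%, %euid%,
         %gid%, %egid%; the element text looks like the pattern accepted for
         that parameter (confirm against the rule engine). The pattern matches
         a full process record with all seven fields; the actionpair captures
         the args text into "agg" for the annotation. -->
    <name>Find Processes ...</name>
    <properties>
      <priority>10</priority>
    </properties>
    <args>
      <args>.+</args>
      <pid>\d+</pid>
      <ppid>\d+</ppid>
      <uid>\d+</uid>
      <euid>\d+</euid>
      <gid>\d+</gid>
      <egid>\d+</egid>
    </args>
    <pattern>
      <next>
        <line>.*args=\(%args%\); pid=\(%pid%\); ppid=\(%ppid%\); uid=\(%uid%\); euid=\(%euid%\); gid=\(%gid%\); egid=\(%egid%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- NOTE(review): the tail of this pattern after "pid" was
             unreadable in the source; ".*" is a reconstruction, confirm
             against the original rule set. -->
        <line>.*args=\((.+)\); pid=.*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Process started: %agg%</text>
    </annotation>
  </regexp-query>
</doc>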




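<doc>
  <regexp-query>
    <!-- All shell-spawned processes.
         First pattern: an "exec" record for a login shell (args "-sh"),
         capturing its pid. Second pattern and the actionpair: processes
         whose ppid equals that pid; their args text is accumulated into
         "agg" for the annotation.
         NOTE(review): unlike the other process rules this one carries no
         <delete/> in its action; confirm that is intended. -->
    <name>All Shell-spawned Processes</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*exec args=\(-sh\); pid=\((\d+)\).*</line>
      </next>
      <next>
        <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Executed from a shell: %agg%</text>
    </annotation>
  </regexp-query>
</doc>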




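<doc>
  <regexp-query>
    <!-- Incoming connections: any "incoming connection from=(...)" record.
         The actionpair splits the from and to endpoints on ":" into four
         capture groups, stored as fromip, fromport, toip and toport for the
         annotation. -->
    <name>Incoming Connections</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*incoming connection from=\(.+\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*incoming connection from=\((.+):(.+)\) to=\((.+):(.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="fromip">%1%</varop>
          <varop var="fromport">%2%</varop>
          <varop var="toip">%3%</varop>
          <varop var="toport">%4%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Incoming Connection From IP: %fromip% (on port: %fromport%) To IP: %toip% (on port: %toport%)</text>
    </annotation>
  </regexp-query>
</doc>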



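<doc>
  <regexp-query>
    <!-- Keystrokes entered: "read stream data" records.
         First pattern captures the stream id. The second pattern
         (fromprev="1" appears to tie it to the previous match) requires the
         data of the same stream id to contain an escaped "\0" followed by
         one of a, d or 4. The actionpair captures the data of that stream
         into "agg" for the annotation. -->
    <name>Keystrokes Entered</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*read stream data, id=\((\d+)\) data=\(.+\).*</line>
      </next>
      <next fromprev="1">
        <line>.*read stream data, id=\(%1%\) data=\(.*\\0[ad4].*\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*read stream data, id=\(%1%\) data=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Keystrokes Entered: %agg%</text>
    </annotation>
  </regexp-query>
</doc>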




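<doc>
  <regexp-query>
    <!-- Screen output: "write stream data" records, the counterpart of the
         keystroke rule. First pattern captures the stream id; the second
         (fromprev="1" appears to tie it to the previous match) requires the
         data of the same stream id to contain an escaped "\0" followed by
         one of a, d, 4 or 6. The actionpair captures the data of that
         stream into "agg" for the annotation. -->
    <name>Screen Output</name>
    <properties>
      <priority>10</priority>
    </properties>
    <pattern>
      <next>
        <line>.*write stream data, id=\((\d+)\) data=\(.+\).*</line>
      </next>
      <next fromprev="1">
        <line>.*write stream data, id=\(%1%\) data=\(.*\\0[ad46].*\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*write stream data, id=\(%1%\) data=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Output to screen: %agg%</text>
    </annotation>
  </regexp-query>
</doc>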
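<doc>
  <regexp-query>
    <!-- Find monitored: a parameterised query over "monitored file opened"
         records. The <args> children are referenced as %file_name% and
         %pid%; their text looks like the pattern accepted for each parameter
         (confirm against the rule engine). The actionpair captures the file
         name (group 1) and pid (group 2) as filename and pidvar for the
         annotation. -->
    <name>Find Monitored</name>
    <properties>
      <priority>10</priority>
    </properties>
    <args>
      <file_name>.+</file_name>
      <pid>\d+</pid>
    </args>
    <pattern>
      <next>
        <line>.*monitored file opened name=\(%file_name%\) pid=\(%pid%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <line>.*monitored file opened name=\((.+)\) pid=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="filename">%1%</varop>
          <varop var="pidvar">%2%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>File Opened: %filename% (from pid: %pidvar%)</text>
    </annotation>
  </regexp-query>
</doc>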



